{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T18:36:51Z","timestamp":1771958211611,"version":"3.50.1"},"reference-count":33,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2025,11,28]],"date-time":"2025-11-28T00:00:00Z","timestamp":1764288000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100016969","name":"Universidad Polit\u00e9cnica Salesiana","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100016969","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Algorithms"],"abstract":"<jats:p>Intrusion detection systems (IDSs) must balance detection quality with operational transparency. We present a deterministic, leakage-free comparison of three classical classifiers: Na\u00efve Bayes (NB), Logistic Regression (LR), and Linear Discriminant Analysis (LDA). We also propose a hybrid pipeline that trains LR on Autoencoder embeddings (AE). Experiments use NSL-KDD and CICIDS2017 under two regimes (with\/without SMOTE (Synthetic Minority Oversampling Technique) applied only on training data). All preprocessing (one-hot encoding, scaling, and imputation) is fitted on the training split; fixed seeds and deterministic TensorFlow settings ensure exact reproducibility. We report a complete metric set\u2014Accuracy, Precision, Recall, F1, Area Under the Curve (AUC), and False Alarm Rate (FAR)\u2014and release a replication package (code, preprocessing artifacts, and saved prediction scores) to regenerate all reported tables and metrics. On NSL-KDD, AE+LR yields the highest AUC (\u22480.904) and the strongest F1 among the evaluated models (e.g., 0.7583 with SMOTE), while LDA slightly edges LR on Accuracy\/F1. NB attains very high Precision (\u22480.98) but low Recall (\u22480.24), resulting in the weakest F1, yet a low FAR due to conservative decisions. On CICIDS2017, LR delivers the best Accuracy\/F1 (0.9878\/0.9752 without SMOTE), with AE+LR close behind; both approach ceiling AUC (\u22480.996). SMOTE provides modest gains on NSL-KDD and limited benefits on CICIDS2017. Overall, LR\/LDA remain strong, interpretable baselines, while AE+LR improves separability (AUC) without sacrificing a simple, auditable decision layer for practical IDS deployment.<\/jats:p>","DOI":"10.3390\/a18120749","type":"journal-article","created":{"date-parts":[[2025,11,28]],"date-time":"2025-11-28T11:19:51Z","timestamp":1764328791000},"page":"749","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["A Deterministic Comparison of Classical Machine Learning and Hybrid Deep Representation Models for Intrusion Detection on NSL-KDD and CICIDS2017"],"prefix":"10.3390","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7056-8588","authenticated-orcid":false,"given":"Miguel","family":"Arcos-Argudo","sequence":"first","affiliation":[{"name":"Department of Advanced Computing and Data Research Group, Universidad Polit\u00e9cnica Salesiana, Cuenca 010102, Ecuador"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6045-8692","authenticated-orcid":false,"given":"Rodolfo","family":"Bojorque","sequence":"additional","affiliation":[{"name":"Department of Advanced Computing and Data Research Group, Universidad Polit\u00e9cnica Salesiana, Cuenca 010102, Ecuador"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-5893-6047","authenticated-orcid":false,"given":"Andr\u00e9s","family":"Torres","sequence":"additional","affiliation":[{"name":"Information Technology Department, Universidad Cat\u00f3lica de Cuenca, Cuenca 010101, Ecuador"}]}],"member":"1968","published-online":{"date-parts":[[2025,11,28]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Ali, M.L., Thakur, K., Schmeelk, S., Debello, J., and Dragos, D. (1903). Deep Learning vs. Machine Learning for Intrusion Detection in Computer Networks: A Comparative Study. Appl. Sci., 15.","DOI":"10.3390\/app15041903"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Roy, D.K., and Kalita, H.K. (2025). Enhanced deep autoencoder-based reinforcement learning model with improved flamingo search policy selection for attack classification. J. Cybersecur. Priv., 5.","DOI":"10.3390\/jcp5010003"},{"key":"ref_3","first-page":"637","article-title":"Improving intrusion detection using LSTM-RNN to protect drones\u2019 networks","volume":"27","author":"Elhamahmy","year":"2024","journal-title":"Egypt. Inform. J."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"350","DOI":"10.3390\/make4020015","article-title":"An Attention-Based ConvLSTM Autoencoder with Dynamic Thresholding for Unsupervised Anomaly Detection in Multivariate Time Series","volume":"4","author":"Tayeh","year":"2022","journal-title":"Mach. Learn. Knowl. Extr."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"868","DOI":"10.3390\/make5030046","article-title":"Autoencoder Feature Residuals for Network Intrusion Detection: One-Class Pretraining for Improved Performance","volume":"5","author":"Lewandowski","year":"2023","journal-title":"Mach. Learn. Knowl. Extr."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"20","DOI":"10.3390\/make7010020","article-title":"Enhancing Performance of Credit Card Model by Utilizing LSTM Networks and XGBoost Algorithms","volume":"7","author":"Kandi","year":"2025","journal-title":"Mach. Learn. Knowl. Extr."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Dash, N., Chakravarty, S., Rath, A.K., Giri, N.C., and Gowtham, N. (2025). An optimized LSTM-based deep learning model for anomaly network intrusion detection. Sci. Rep., 15.","DOI":"10.1038\/s41598-025-85248-z"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"21","DOI":"10.3390\/make7010021","article-title":"Comparative Analysis of Perturbation Techniques in LIME for Intrusion Detection Enhancement","volume":"7","author":"Bacevicius","year":"2025","journal-title":"Mach. Learn. Knowl. Extr."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"34113","DOI":"10.1109\/JIOT.2025.3577332","article-title":"Heterogeneous Secure Transmissions in IRS-Assisted NOMA Communications: CO-GNN Approach","volume":"12","author":"Liang","year":"2025","journal-title":"IEEE Internet Things J."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"e1552","DOI":"10.7717\/peerj-cs.1552","article-title":"Optimization of predictive performance of intrusion detection system using hybrid ensemble model for secure systems","volume":"9","author":"Abbas","year":"2023","journal-title":"PeerJ Comput. Sci."},{"key":"ref_11","unstructured":"Canadian Institute for Cybersecurity (CIC), and University of New Brunswick (2025, February 11). NSL-KDD Intrusion Detection Dataset. Available online: https:\/\/github.com\/Jehuty4949\/NSL_KDD."},{"key":"ref_12","unstructured":"Canadian Institute for Cybersecurity (2025, February 05). CICIDS2017 Dataset. University of New Brunswick. Available online: https:\/\/www.unb.ca\/cic\/datasets\/ids-2017.html."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"629","DOI":"10.3390\/jcp2030032","article-title":"MOCA: A network intrusion monitoring and classification system","volume":"2","author":"Fuhr","year":"2022","journal-title":"J. Cybersecur. Priv."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"102158","DOI":"10.1016\/j.cose.2020.102158","article-title":"An effective intrusion detection approach using SVM with na\u00efve Bayes feature embedding","volume":"103","author":"Gu","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1625","DOI":"10.32604\/csse.2023.025669","article-title":"Wrapper Based Linear Discriminant Analysis (LDA) for Intrusion Detection in IIoT","volume":"45","author":"Yasotha","year":"2023","journal-title":"Comput. Syst. Sci. Eng."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"451","DOI":"10.3390\/jcp3030023","article-title":"A deep learning approach for network intrusion detection using a small features vector","volume":"3","author":"Ghani","year":"2023","journal-title":"J. Cybersecur. Priv."},{"key":"ref_17","first-page":"291","article-title":"Detection of DDoS Attacks in Computer Networks Using Deep Learning","volume":"2392","author":"Calle","year":"2024","journal-title":"Commun. Comput. Inf. Sci."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Song, Y., Hyun, S., and Cheong, Y.-G. (2021). Analysis of Autoencoders for Network Intrusion Detection. Sensors, 21.","DOI":"10.3390\/s21134294"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"140136","DOI":"10.1109\/ACCESS.2021.3116612","article-title":"Improving performance of autoencoder-based network anomaly detection on NSL-KDD dataset","volume":"9","author":"Xu","year":"2021","journal-title":"IEEE Access"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.future.2021.09.027","article-title":"A lightweight supervised intrusion detection mechanism for IoT networks","volume":"127","author":"Roy","year":"2022","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"107694","DOI":"10.1016\/j.compeleceng.2022.107694","article-title":"Two-step ensemble approach for intrusion detection and identification in IoT and fog computing environments","volume":"98","author":"Westphall","year":"2022","journal-title":"Comput. Electr. Eng."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"102499","DOI":"10.1016\/j.cose.2021.102499","article-title":"CSE-IDS: Using cost-sensitive deep learning and ensemble algorithms to handle class imbalance in network-based intrusion detection systems","volume":"112","author":"Gupta","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"109863","DOI":"10.1016\/j.compeleceng.2024.109863","article-title":"A Comprehensive Survey on Intrusion Detection Algorithms","volume":"121","author":"Li","year":"2025","journal-title":"Comput. Electr. Eng."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., and Ghorbani, A.A. (2018, January 22\u201324). Toward generating a new intrusion detection dataset and intrusion traffic characterization. Proceedings of the 4th International Conference Information Systems Security and Privacy (ICISSP), Madeira, Portugal.","DOI":"10.5220\/0006639801080116"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Sayegh, K., Khanduja, S., and Holt, A.G.J. (2024). Enhanced Intrusion Detection with LSTM-Based Model, Feature Selection, and SMOTE for Imbalanced Data. Appl. Sci., 14.","DOI":"10.3390\/app14020479"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"12305","DOI":"10.1002\/int.23088","article-title":"Explainable Machine Learning in Cybersecurity: A Survey","volume":"37","author":"Yan","year":"2022","journal-title":"Int. J. Intell. Syst."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1007\/s10922-023-09767-8","article-title":"Deep Learning Based Hybrid Intrusion Detection Systems to Protect Satellite Networks","volume":"31","author":"Azar","year":"2023","journal-title":"J. Netw. Syst. Manag."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Abdulhammed, R., Musafer, H., Alessa, A., Faezipour, M., and Abuzneid, A. (2019). Features Dimensionality Reduction Approaches for Machine Learning Based Network Intrusion Detection. Electronics, 8.","DOI":"10.3390\/electronics8030322"},{"key":"ref_29","unstructured":"(2025, November 01). Scikit-Learn: Documentation for LinearDiscriminantAnalysis. Scikit-Learn Project 2025, Stable. Available online: https:\/\/scikit-learn.org\/stable\/modules\/generated\/sklearn.discriminant_analysis.LinearDiscriminantAnalysis.html."},{"key":"ref_30","unstructured":"Arcos, M. (2025, November 01). IDS-KDD-CICIDS2017. GitHub Repository. Available online: https:\/\/github.com\/miguelarcosa\/IDS-KDD-CICIDS2017.git."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"108768","DOI":"10.1016\/j.asoc.2022.108768","article-title":"A two-stage intrusion detection system with autoencoder and LSTMs","volume":"121","author":"Umer","year":"2022","journal-title":"Appl. Soft Comput."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"102600","DOI":"10.1016\/j.cose.2021.102600","article-title":"An efficient network behavior anomaly detection using a hybrid DBN-LSTM network","volume":"114","author":"Chen","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_33","unstructured":"Liu, L., Engelen, G., Lynar, T., Essam, D., and Joosen, W. (October, January 30). Error Prevalence in NIDS Datasets: A Case Study on CIC-IDS-2017 and CSE-CIC-IDS-2018. Proceedings of the IEEE Conference on Communications and Network Security (CNS), Taipei, Taiwan."}],"container-title":["Algorithms"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-4893\/18\/12\/749\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,30]],"date-time":"2025-11-30T05:22:32Z","timestamp":1764480152000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-4893\/18\/12\/749"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,28]]},"references-count":33,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["a18120749"],"URL":"https:\/\/doi.org\/10.3390\/a18120749","relation":{},"ISSN":["1999-4893"],"issn-type":[{"value":"1999-4893","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,11,28]]}}}